40 Windows apps contain critical bug, says researcher
By Gregg Keizer on Aug 20, 2010About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday.
The bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs, said HD Moore, the chief security officer of Rapid7 and creator of the open-source Metasploit penetration testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.
Each affected program will have to be patched separately.
Moore first hinted at the widespread bug in a message on Twitter on Wednesday. "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," he tweeted, then linked to an advisory published by Acros, a Slovenian security firm.
That advisory detailed a vulnerability in iTunes for Windows that hackers could exploit by persuading users to download and open a malformed media file, or by duping them into visiting a malicious Web site, where they would fall to a drive-by attack.
Apple patched the iTunes for Windows bug last March when it updated the music player to version 9.1. According to Apple, the bug does not affect Mac machines.
Acros' advisory insinuated that the vulnerability was in more than just iTunes. "Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation," the warning said.
It would have been odd for Acros to note the possibility of exploitation if the bug was iTunes-only and had been patched months earlier.
Tagged as:
